Chosen-ciphertext Secure Encryption from Hard Algebraic Set Systems

Chosen-ciphertext Secure Encryption from

Hard Algebraic Set Systems

Ronald Cramer1 _{Dennis Hofheinz}2 _{Eike Kiltz}3

March 27, 2009

Abstract

We put forward the new abstract framework of hard algebraic set systems that allows to construct ecient chosen-ciphertext secure encryption schemes under computational (rather than decisional) intractability assumptions. Our framework can be instantiated with both RSA and Die-Hellman type assumptions, but in itself is completely abstract.

Keywords: public-key encryption, chosen-ciphertext security.

1 Introduction

One of the main elds of interest in cryptography is the design and the analysis of the security of encryption schemes in the public-key setting (PKE schemes). The notion of security against chosen-ciphertext attack (IND-CCA security) is due to Racko and Simon [24] and is now widely accepted as the standard security notion for public-key encryption schemes. In contrast to security against passive adversaries (security against chosen-plaintext attacks aka semantic security), in a chosen-ciphertext attack the adversary plays an active role by obtaining the decryptions of cipher-texts (or even arbitrary bit-strings) of his choosing. The practical signicance of such attacks was demonstrated by Bleichenbacher [1] by means of anIND-CCAattack against schemes following the encryption standard PKCS #1.

1.1 History

Historically, the rst scheme that was provably secure against IND-CCA attacks is due to Dolev, Dwork, and Naor [10] (building on an earlier result by Naor and Yung [22]). Their generic con-struction is based on enhanced trapdoor permutations. However, in practice these schemes are prohibitively impractical, as they rely on expensive non-interactive zero-knowledge (NIZK) proofs based on the circuit description of the trapdoor permutation. The rst practical schemes prov-ablyIND-CCAsecure under standard cryptographic hardness assumptions were due to Cramer and Shoup [6, 8]. Later, by providing an algebraization of the abstract Naor/Yung paradigm they generalized their initial scheme to the paradigm of hash proof systems [7], thereby yielding new practical schemes from a number of alternative intractability assumptions. Even though the con-cept of hash proof systems is generic, its use in [7] to build encryption schemes inherently relies on decisional assumptions, such as the assumed hardness of deciding if a given integer has a square root modulo a composite number with unknown factorization, or if deciding if a given tuple is a

1_{CWI, Amsterdam, and Leiden University. [email protected].} 2_{CWI, Amsterdam. [email protected].}

Die-Hellman tuple or not (DDH assumption). Particular instances of the HPS-based schemes could later be optimized leading to a number of more ecient schemes (e.g., [20, 12, 19, 14, 18]). However, all of these schemes are based on decisional assumptions (mostly the DDH assumption).

An alternative generic framework of constructing IND-CCA secure encryption schemes is given by the recent concept of lossy trapdoor functions [23] that led to the rst construction based on a (decisional) assumption related to nding shortest vectors on lattices. However, also lossy trapdoor functions inherently rely on decisional assumptions rather than computational assumptions.

In general, decisional assumptions are a much stronger class of assumptions than computational assumptions. For example, deciding if a given integer has a modular square root or not may be much easier than actually computing a square root (or, equivalently, factoring the modulus). Only recently were practical schemes roposed whose IND-CCA security does not rely on decisional assumptions (e.g., [3, 5, 13, 16]). In particular, the rst practical encryption schemeIND-CCAsecure under the Computational Die-Hellman (CDH) assumption was proposed by Cash, Kiltz, and Shoup [5] in 2008, and improved by Hanaoka and Kurosawa [13] later that year. In 2009, Hofheinz and Kiltz proposed a very ecient IND-CCA secure encryption scheme under the factoring assumption [16]. However, there seems to be no overarching concept that explains these schemes. Each of these schemes relies on dierent tricks to achieve security, and in particular to conduct a reduction in the security proof.

1.2 Our contribution

In this work, we propose a generic framework that allows to construct and explain practical IND -CCAsecure encryption schemes whose security is based on general widely believed computational in-tractability assumptions. Concretely, we show how to constructIND-CCAsecure encryption schemes from any hard algebraic set system. Roughly, an algebraic set system consists of a nite Abelian groupS, together with a commutative, unitary sub-ringΦof group endomorphisms overSthat full a number of natural algebraic properties. It is a hard algebraic set system if a Die-Hellman style computational problem is intractable. Examples of hard algebraic set systems can be obtained from standard computational assumptions such as the CDH and the RSA assumptions (using hardcore bit extraction). Our main result is an ecient transformation from any hard algebraic set system into a practicalIND-CCAsecure encryption scheme. We remark that our approach is dierent from known generic constructions: while the Naor/Yung [22] and the HPS-based framework [7] basically uses double-encryption (bootstrapped from the trapdoor permutation or the HPS) plus a consistency-check, we start from a key-exchange protocol and combine it with a consistency-check and hardcore bit extraction. With respect to the results our construction can be seen as a generalization of the recent specic constructions from computational problems [3, 5, 13, 16].

1.3 Technical details

We now give some technical details of our transformation.

the encapsulated key K=Ext(ψ(u)) to blind the message. (HereExt is an extractor function that is part of the underlying hard computational problem of the algebraic set system.) Decryption reconstructs the key by computing K =Ext(χ(c)). Correctness of the scheme follows since χ and ψ are homomorphisms, i.e.,χ(c) =χ(ψ(g)) =ψ(χ(g)) =ψ(u).

Our IND-CCA secure construction. We augment the above IND-CPA secure construction in a clean and modular way by adding a trapdoor part and a NIZK part to the scheme. The two new parts can be generically constructed from algebraic set systems and the resulting scheme is IND-CCA secure if the old scheme is IND-CPA secure. More concretely, ciphertexts are now tuples of the form (c,d, π), where cis from the IND-CPA construction, dis the trapdoor element, and π is the NIZK element that proves consistency of the ciphertext. We now explain our construction by showing how the dierent parts aect the ability to perform decryption.

The idea behind the trapdoor elementdin the ciphertext is that can be set up by a simulator such

that it is possible to decrypt (without the knowledge of the scheme's secret key χ) all consistent ciphertexts (c,d) except the ciphertext that is used to challenge the adversary (in the security reduction to the IND-CPA secure scheme). This all-but-one simulation technique can be traced back at least to [21], where it was used in the context of pseudorandom functions.1 _{In the encryption}

context, all-but-one simulations have been used in identity-based encryption [2] and were already applied to several encryption schemes in [3, 4, 5, 14, 17, 23, 16].

The above all-but-one simulation technique allows to correctly simulate decryption of arbitrary for consistent ciphertexts(c,d)but consistency can only be checked using the secret key which is not available during simulation. To provide an alternative consistency check we add the NIZK elementπ to the ciphertext. Actually, the NIZK element is generated using a hash proof system [7] and proves that (c,d) is contained in the trapdoor language consisting of all consistent ciphertexts. However, we stress that we use hash proof system techniques here without relying on a (computational or decisional) assumption. Instead, we use a hash proof system only as a NIZK proof, in which case the hash proof system's soundness is information-theoretic.

Our technical contribution (that may be of independent interest) is to bootstrap the trapdoor part and the the NIZK part (i.e., the hash proof system for the trapdoor language) generically from the abstract algebraic properties of algebraic set systems. In contrast to the generic NIZK-based constructions from [10, 22] our constructions are relatively ecient: the key-size and ciphertexts of the obtainedIND-CCAsecure scheme containO(k)elements inS, wherekis the security parameter. In many cases the ciphertexts can be compactied into a constant number of elements inS, giving truly practical schemes.

2 Preliminaries

Generic notation. A probabilistic polynomial-time (PPT) algorithm is a randomized algorithm which runs in strict polynomial time. By k we denote the security parameter, which indicates

1_{We stress that our use of the term all-but-one refers to the ability to generate a secret key that can be used to}

the amount of security we desire. A function f : N → R is negligible if for all c ∈ N, there exists k0 ∈ N such that |f(k)| < k−c for all k > k0. Furthermore, f is overwhelming if 1−f

is negligible. For random variables X and Y, we write X ≈c Y if X and Y are computationally indistinguishable, i.e., if for all PPT algorithms D, we have that Pr[D(X) = 1]−Pr[D(Y) = 1] is negligible. Similarly, we writeX≈s Y if the statistical distance between X andY is negligible. For a vector h= (h1, . . . , h`) and a nonempty setJ ⊆ {1, . . . , `}, we write hJ for the restricted vector

(hi)i∈J. Furthermore, if φ is a function, then φ(h) denotes the component-wise application of φ,

i.e., φ(h) = (φ(hi))i.

Group endomorphisms. For an abelian group, we denote its group operation additively. If S is an abelian group, then End(S) consists of all group-homomorphisms χ :S → S. It has a ring-structure, where point-wise-addition is ring-addition (denoted +) and functional composition is ring-multiplication (denoted ◦). SupposeΦis an additive sub-group of End(R). ThenAnn(Φ)⊂ S, consists of all g∈S for which χ(g) = 0 for all χ∈Φ, and it is a sub-group ofS. A sub-ring of End(R) is unitary if it contains the identity endomorphism.

2.2 Key encapsulation mechanisms

Instead of a public-key encryption scheme we consider the conceptually simpler KEM framework. It is well-known that anIND-CCAsecure KEM combined with a (one-time-)IND-CCAsecure symmetric cipher (DEM) yields a IND-CCA secure public-key encryption scheme [8]. Ecient one-time IND -CCAsecure DEMs can be constructed even without computational assumptions, using an encrypt-then-MAC paradigm [8], or using strong pseudorandom permutations.

Syntactics. A key encapsulation mechanism (KEM)KEM= (Gen,Enc,Dec)consists of three PPT algorithms. Via (pk,sk)← Gen(1k), the key generation algorithm produces public/secret keys for security parameterk∈N; via (K, C)←Enc(pk), the encapsulation algorithm creates a symmetric key2 _{K∈ {0,1}}k _{together with a ciphertextC; via K ←Dec(sk, C), the possessor of secret key sk}

decrypts ciphertextC to get back a keyK which is an element in{0,1}k _{or a special reject symbol}

⊥. For correctness, we require that for all possible k ∈ N, and all (K, C) ← Enc(pk), we have Pr[Dec(sk, C) =K] = 1, where the probability is taken over the choice of(pk,sk)←R Gen(1k), and the coins of all the algorithms in the expression above.

Security. The common requirement for a KEM is indistinguishability against chosen-ciphertext attacks (IND-CCA) [8], where an adversary is allowed to adaptively query a decapsulation oracle with ciphertexts to obtain the corresponding key. Formally:

Denition 1 (IND-CCAsecurity of a KEM). LetKEM= (Gen,Enc,Dec) be a KEM. For any PPT algorithm A, we dene the following experimentsExpCCA_KEM-_,real_A andExpCCA_KEM-_,rand_A :

Experiment ExpCCA_KEM-_,real_A (k) (pk,sk)←R Gen(1k)

(K∗, C∗)←R Enc(pk) ReturnADec(sk,·)_{(pk, K}∗_{, C}∗₎

Experiment ExpCCA_KEM-_,rand_A (k) (pk,sk)←R Gen(1k) R←R{0,1}k

(K∗, C∗)←R Enc(pk) Return ADec(sk,·)_{(pk, R, C}∗₎

In the above experiments, the decryption oracleDec(sk, C)returnsK ←Dec(sk, C), for allC 6=C∗. We dene A's advantage in breaking KEM's IND-CCAsecurity as

AdvCCA_KEM,A(k) := 1 2 Pr

h

ExpCCA_KEM-_,real_A (k) = 1i−PrhExpCCA_KEM-_,rand_A (k) = 1i .

We say that KEM isIND-CCAsecure if AdvCCA_KEM,A is negligible for all PPT A.

As a stepping stone, we will also consider the weaker requirement of IND-CPA security of a KEM. TheIND-CPA security experiment is very similar to theIND-CCA security experiment, only without a decryption oracle for the adversary:

Denition 2 (IND-CPA security of a KEM). Let KEM = (Gen,Enc,Dec) be a KEM. For any PPT algorithm A, we dene the following experiments ExpCPA_KEM-_,real_A and ExpCPA_KEM-_,rand_A as identical to the experiments ExpCCA_KEM-_,real_A andExpCCA_KEM-_,rand_A from Denition 1, only that A does not get access to a decryption oracle Dec. Let

AdvCCA_KEM,A(k) := 1 2 Pr

h

ExpCPA_KEM-_,real_A (k) = 1 i

−Pr h

ExpCPA_KEM-_,rand_A (k) = 1 i

.

We say that KEM isIND-CPA secure if AdvCCA_KEM,A is negligible for all PPT A.

3 Set Systems

Denition 3 (Set system). A set systemSS = (S,Φ) consists of the following

• A nite, non-empty setS.

• A non-empty set Φof functions χ:S→S.

Furthermore, we require that ecient algorithms exist for the following tasks:

• Sampling∗ with the uniform distribution fromS.

• Sampling∗ _{with the uniform distribution fromΦ.}

• Evaluating χ(g) when given χ∈Φand g∈S.

Here, ∗ _{means that it is sucient if sampling can be performed approximatively uniform (that is, if} a distribution can be sampled which is statistically close to uniform).

We stress that while our denitions are typically asymptotic, an explicit security parameter is sometimes suppressed for ease of exposition.

3.2 Hard Set Systems

The following denition encapsulates the computational hardness assumption associated with set systems.

Denition 5 (Hard set system). Let (S,Φ) be a commutative set system, and letExt:S → {0,1}n

be eciently computable. We say that (S,Φ) is a hard set system with randomness extractorExt if

(g, χ(g), ψ(g), E) ≈c (g, χ(g), ψ(g), R),

where g∈S, χ, ψ∈Φ, andR∈ {0,1}n _{are uniformly chosen, and E =Ext(χ(ψ(g))∈ {0,1}}n_.

3.3 Algebraic Set Systems

We now set abstract algebraic conditions that are sucient for the existence of a quite ecient transformation that we will use to achieve CCA security.

Denition 6 (Algebraic set system). A set system(S,Φ)is an algebraic set system if the following algebraic conditions are fullled.

Group structure. S is a nite Abelian group. Recognizability. S is eciently recognizable.

Commutative endomorphisms. Φis a commutative, unitary sub-ring of End(S). Almost-transitivity. A g∈S is called normal if

∀h∈S ∃φ∈Φ : h=φ(g).

We require that a uniformly chosen g∈S is normal with overwhelming probability.

Uniformity. For uniformly choseng, u∈S and χ∈Φ, we have (g, χ(g))≈s (g, u).

Remark 1. If Φ consists of all multiplications by non-negative integers then Φ is a commutative, unitary sub-ring of End(S).

3.4 Examples

Die-Hellman. LetS be a cyclic group G=hgi of prime orderp. We dene Φas

Φ :={χ(g) =gx : x∈_Zp}.

This makes(S,Φ)a set system. (Note thatSalready is eciently recognizable.) Letχ, ψ∈Φ, i.e., χ(g) = gx and ψ(g) = gy, for some x, y ∈ Zp. Now χ(ψ(g)) = (gy)x = gxy = (gx)y =

ψ(χ(g))and therefore(S,Φ)is commutative. SinceSis eciently recognizable, it is also easy to see that(S,Φ) is also algebraic.

If the DDH assumption holds inG, then(S,Φ)is a hard set system with randomness extractor

Ext:G→ {0,1}n, whereExtis an arbitrary pseudorandom generator. If the CDH assumption holds in G, then (S,Φ) is a hard set system with randomness extractor Exts : G → {0,1}. Here,Exts mapsg∈Gto the Goldreich-Levin bitPi=1|g| gisi, where |g|denotes the bit length

RSA. We use the group of signed quadratic residues [15, 11]. Fix a Blum integerN =P Qfor safe primesP, Q≡3 mod 4(such thatP = 2p+ 1and Q= 2q+ 1for primes p, q). Let JN ⊆Z∗N

denote the set of elements with Jacobi symbol 1 modulo N and let QRN ⊂ JN denote the

set of quadratic residues modulo N. Consider the quotient group S := QR+N := QRN/±1.

Together with the group operation a◦b := |a·bmodN| this forms a nite Abelian group of order pq. Furthermore, since QR+_N = J+_N := JN/±1 = {|x| : x ∈ JN}, S is eciently

recognizable. Dene

Φ :={χ(g) =|gx_{| : x∈}

ZbN/4c}.

Observe that we can sample uniformly from S and Φ. Furthermore, (g, χ(g)) is statistically close to(g, u) for uniformg, u ∈S and χ ∈Φ, since bN/4c approximates pq, the order of S, suitably well. This makes(S,Φ) a set system.

Finally, if the RSA assumption holds inZN, then(S,Φ)is also hard with randomness extractor Ext:S→ {0,1}, whereExt mapsg∈S to the least signicant bit LSB(g) of g [11].

4

IND

-

CPA

secure key encapsulation from commutative set systems

Construction 7 (Semantically secure KEM from commutative set systems). Assume that(S,Φ)is a hard commutative set system with randomness extractorExt :S → {0,1}n_{. Then, our basic key}

encapsulation schemeKEM= (Gen,Enc,Dec), which is an obvious abstraction of the Die-Hellman scheme, is dened as follows.

Key Generation. Gen(1k) chooses g ∈ S and χ ∈ Φ uniformly, and computes u = χ(g) ∈ S. Public key is pk = (g, u)∈S×S, and secret key issk =χ∈Φ.

Encapsulation. Given pk = (g, u) ∈ S ×S, Enc chooses ψ ∈ Φ uniformly and computes the ciphertextc=ψ(g)∈S. Next,Enc derives the encapsulated key

K=Ext(ψ(u))∈ {0,1}n. (1)

Decapsulation. Givensk =χ∈Φ andc∈S,Dec computes

χ(c) = (χ◦ψ)(g) = (ψ◦χ)(g) =ψ(u)

to derive the encapsulated key K∈ {0,1}`n _{as in (1). Note that here it is exploited that the}

functions inΦcommute.

Theorem 8 (Construction 7 is an IND-CPA secure KEM). If (S,Φ) is a hard commutative set system, then the KEM from Construction 7 is IND-CPA secure in the sense of Denition 2.

Proof. This follows directly from Denition 5.

5 Hash proof systems

• A nite non-empty setV: this is where the verier samples a secret verication-key from, to enable him to check proofs.

• A nite non-empty set P and a function α : V → P: this maps a verication key to its projection, which is an auxiliary input for the prover to construct a proof.

• A non-empty nite setΠ: this is where proof strings will be sampled from.

Furthermore, ecient algorithms for the following tasks exist.

• Sampling with the uniform distribution from V.

• Computing α(κ)∈ P when given κ∈ V.

• Computing the proof π ∈ Π when given the statement h ∈ L, and either the projection α(κ) along with a witnessφ∈Φ, or, alternatively, the verication keyκ itself.

The following security properties hold, even in the presence of an unbounded adversary.

Completeness. If indeed x ∈ L, a proof π ∈ Π thus computed is accepted when veried using the secret verication keyκ. This verication is performed eciently by the verier.

Soundness. For every x 6∈ L, every projection P ∈ P, and every purported proof π˜ ∈ Π: the probability (over uniform V ∈ V with α(V) =P) that π˜ will be accepted is at least 1−. Non-Interactive Zero-Knowledge. The proof π ∈ Π is unique. In the verication procedure referred

to above, the verier actually rst computes π0 from x ∈ L and the verication key κ. The decision is then made by checking whether π0 = π. In other words, the verier can compute the proof himself from seeing the statement, using his secret verication key.

We will also need the following additional property of a hash proof system:

Denition 10 (Homomorphic HPS). Let S be a group. Let a hash proof system for a language L ⊂ Z ⊂ S`0 × J (for arbitrary `0 and an arbitrary domain J) with proofs Π ⊂ S` be given. The hash proof system is homomorphic if for every statement (h, J) ∈ Z, every acceptable proof π ∈Π for (h, J), and every endomorphism φ∈ End(S), we have that φ(π) is an acceptable proof for statement (φ(h), J).

Note that the homomorphic property only refers to the S part of the statement. The J com-ponent of the statement is unchanged.

We make a number of remarks and comments concerning our denitions:

• The error probability can be decreased exponentially by running copies based on indepen-dently selected keys in parallel.

• Such a hash proof system will be global in the sense that it does not essentially depend on the length ` or on the choice of the base vectors g,h. Furthermore, is assumed that the

generation of the secret verication key does not depend on the choice of base vectors. • Obviously, however, several technical details in the denition above will typically scale with

`. Also, all algorithms involved may take` and g,h as input (except secret key generation,

5.2 Our trapdoor language

We dene a natural language derived from set systems that simply singles out sequences of elements obtained by applying the same function to (a subset of) some xed sequence elements. We note that [25] use the related but dual concept of correlated products to obtain chosen-ciphertext security. Namely, they apply several trapdoor functions to the same preimage, while in our approach, we apply one function to several preimages. We also note that in their work, it is crucial that the functions can be inverted (using a trapdoor). We do not have this requirement.

Denition 11 (Trapdoor language). Let (S,Φ) be a set system, let `be a positive integer, and let

g∈S, h= (h1, . . . , h`)∈S`,

be base vectors. Then the trapdoor language Lassociated to (S,Φ) and g,h is dened as

L={(c,d, J)∈S×SJ× J | ∃χ∈Φsuch that c=χ(g)∧d=χ(hJ)},

where J consists of all non-empty subsets of {1, . . . , `}. Such a function χ ∈ Φ (not necessarily unique) is called a witness.

In the remaining part of this section we show the following theorem.

Theorem 12 (HPS for our trapdoor language). Let (S,Φ) be a an algebraic set system and let g ∈S, h ∈S` be randomly chosen base vectors. If g is normal (in the sense of Denition 6) and hi 6= 0 for alli, then there exists a homomorphic hash proof system for the language L. The error

probability is at most `/p, wherep is the smallest prime divisor of |S|.

The proof proceeds in two steps. First we prove the case ` = 1 and then we show how the general case follows from that by induction.

Let g ∈ S be normal, and let h ∈ S. Since g is normal, h = ρ(g) for some ρ ∈ Φ. We now construct a hash proof system for the trapdoor language L. The hash proof system is dened as follows.

Z ={(χ(g), ψ(h)) : χ, ψ∈Φ} ⊂S×S, (2)

L={(χ(g), χ(h)) : χ∈Φ} ⊂Z. (3)

(For simplicity and ease of presentation, we omit theJ component ofZ and L, since in case `= 1 this component is trivial.)

Setup. The verier chooses a random secret verication key (δ, ρ) ∈ Φ×Φ, and computes its projection

α=δ(g) +ρ(h).

Proof phase. The prover holds(c, d)∈Land a witnessχ∈Φsuch that

(c, d) = (χ(g), χ(h)).

He computes the proof

Verication. The verier checks whether

π=δ(c) +ρ(d).

Note that if the prover is honest, then indeed by commutativity

π =χ(α) =χ(δ(g) +ρ(h)) =δ(χ(g)) +ρ(χ(h)) =δ(c) +ρ(d).

Furthermore, it is clear that the hash proof system is homomorphic (according to Denition 10). We sketch why the above hash proof system satises the conditions of Denition 9. Let (c, d)∈Z. Suppose the prover falsely claims that(c, d)∈L. The pair(δ, ρ)is randomly distributed onΦ×Φ conditioned on the projection being equal to α. Then, by a technical lemma we will show in Section A.1, each solution z of the two equations α = δ(g) +ρ(h) and z =δ(c) +ρ(d) is equally likely to be the correct proof. Since there are at least p such solutions Theorem 12 now follows (for`= 1). A formal proof can be found in Appendix A.1. The case of general`will be considered in Appendix A.2.

6

IND

-

CCA

secure key encapsulation from algebraic set systems

Construction 13 (Chosen-ciphertext secure KEM from algebraic set systems). Let(S,Φ) a hard algebraic set system with randomness extractorExt:S→ {0,1}n_{. Further, assume a target collision}

resistant hash functionTonS (whose formal denition can be looked up in Appendix B). Forc∈S,

T(c) is encoded as a subset of {1, . . . ,2k}, with |T(c)|= k. Note that if T(c) 6=T(c0), then these two sets are incomparable by inclusion.

Key generation. Let (S,Φ) be an algebraic set system. Choose

g∈S, h= (h1, . . . , h2k)∈S2k.

Using Theorem 12, set up an instance of the homomorphic hash proof system from Section 5 (with negligible error probability ) for the trapdoor language L, resulting in a verication key κ∈ V. Note that proofs for membership inL are from a set Π⊆Sm for somem. Next, compute the projection value α=α(κ)∈ P. Finally, choose a functionχ∈Φ uniformly and compute

u=χ(g)∈S.

The public/secret key pair is

pk = (g, u,h, α)∈S×S×S2k× P, sk = (χ, κ)∈Φ× V.

Encapsulation. Givenpk = (g, u,h, α), choose a function ψ∈Φat random, and compute

c=ψ(g)

Next, computeJ =T(c)⊂ {1, . . . ,2k} and

Using ψ ∈ Φ, α ∈ P and d ∈ L, compute the proof π ∈ Π ⊆ Sm that (c,d, J) ∈ L. The ciphertext consists of the pair

(c,d, π)∈S×Sk×Sm,

and the session key is computed as

K=Ext(ψ(u))∈ {0,1}n_{. (4)}

Decapsulation. Given sk = (χ, κ) and a ciphertext (c,d, π) ∈ S1+k+m, compute J = T(c) ⊂ {1, . . . ,2n} and verify that π ∈ Sm proves (c,d, J) ∈ L. If the proof is invalid, reject. Otherwise, compute the session key as

K=Ext(χ(c))∈ {0,1}n.

Correctness. We argue that the above KEM satises correctness. Note that for correctly generated ciphertexts, we have that

(c,d, π) = (ψ(g), ψ(hJ), π),

whereπ is a proof that(c,d, J)∈L. By the homomorphic property of the hash proof system, π is a proof that (c,d,T(c)) ∈ L. Hence, correctly generated ciphertexts are not rejected. Furthermore,

χ(c) = (χ◦ψ)(g) =ψ(u),

which implies that decapsulation extracts the same key as encapsulation.

Theorem 14. If (S,Φ) is a hard algebraic set system, then the above KEM isIND-CCA secure in the sense of Denition 1.

Proof. We give a simulation of the IND-CCA experiment for an arbitrary PPT adversary A. It suces to construct a simulatorS such that the following holds. On input

(g, χ(g), ψ(g), E∗)

(with g, χ, ψ, E∗ as in Denition 5), S simulates the real IND-CCA experiment ExpCCA_KEM-_,real_A , and on input

(g, χ(g), ψ(g), R∗),

S simulates the randomIND-CCAexperimentExpCCA_KEM-_,rand_A .

Setup. So say that S is invoked on input (g, u, c∗, P), for c∗ = ψ(g), u = χ(g), and unknown χ, ψ∈Φ. Furthermore,P ∈ {0,1}n _{is either equal to the extractionE}∗ _{or random.}

First, S sets up a substitute decapsulation key that can be used to decrypt all ciphertexts except the challenge ciphertext, which will be constructed around ψ(g). Concretely, S computes from its own challenge (g, u, c∗, P) the valueJ∗ =T(c∗) ⊂ {1, . . . ,2k}. Then,S chooses uniformly

η= (η1, . . . , η2k)∈Φand denes

hi=ηi(g) for i∈J∗, (5)

Finally, S sets up a hash proof system for the trapdoor language L induced by g and h (see

Denition 11). Let κ and α be the corresponding verication key and its projection. Then, S denes a public keypk along with a substitute secret key sk0 as follows:

pk = (g, u,h, α)∈S×S`×S2k× P sk0= (η, κ)∈Φ`× V.

Note that by the uniformity of(S,Φ)(see Denition 6), the public keys prepared bySare statistically close to authentic public keys as produced by the key generation from Construction 13.

Challenge ciphertext and key. Next,Sprepares a challenge ciphertext(c∗,d∗, π∗)∈S×SJ∗× Sm. We have already dened c∗ above, so it remains to dened∗ = (d_i∗)i∈J∗ andπ. Namely,S sets

d∗_i =ηi(c∗) for i∈J∗. Since

d∗_i =ηi(c∗) =ηi(ψ(g)) =ψ(ηi(g)) i∈J∗

= ψ(hi),

this gives a(c∗,d∗)exactly as produced by the encapsulation algorithm of Construction 13. Because (c∗,d∗, J∗) ∈ L, a proof π for that statement can be produced using the verication key κ. This yields a challenge ciphertext (c∗,d∗, π∗) exactly as produced by the encapsulation algorithm.

Note that if S's challengeP satises

P =E∗=Ext((χ◦ψ)(g)),

then P equals the real key K as the encapsulation algorithm would have computed in (4), and henceP is distributed as the challenge keyK in the realIND-CCAexperiment ExpCCA_KEM-_,real_A . On the other hand, ifP is random, then clearly P is distributed as a random challenge key in theIND-CCA experiment ExpCCA_KEM-_,rand_A .

Decapsulation queries. S then invokes adversary A with public key pk0, challenge ciphertext

(c∗,d∗, π∗), and challenge keyP. By the above, this yields a view forAas in the real, resp. random IND-CCA experiment, depending on whetherP =E∗ or P is random.

It remains to implement a decapsulation oracle for A. To this end, assume that A makes a decapsulation query (c,d, π). First, we may assume c ∈ S, d ∈ SJ (for J = T(c)), and π ∈ Sm, since S is eciently recognizable. If π is not a correct proof of (c,d, J)∈Laccording toκ, thenS rejects, exactly as the authentic decapsulation algorithm would have done. In the following, we hence may further assume that π is a valid (with respect to verication key κ) proof that (c,d, J) ∈L. By the soundness of the hash proof system,3 _{this in particular implies that, with overwhelming}

probability, there exists _ψ˜_{∈Φwithψ(g) =}˜ _{cand ψ(h}˜ _{i) =di for all i∈J.} Observe that c=c∗ would implyJ∗ =J, so that for all i∈J∗ =J,

di = ˜ψ(hi) =ηi( ˜ψ(g)) =ηi(c) =ηi(c∗) =d∗i.

By the uniqueness of valid proofs, this would hence imply(c,d, π) = (c∗,d∗, π∗), which is a forbidden decapsulation query forA. Thus, we may even assume thatc6=c∗.

3_{We stress thatAonly gets to see a proofπ}∗_{of a valid statement, which could have already been derived from the}

projected keyα. Henceπ∗does not disturb a reduction to the soundness of the hash proof system. This distinguishes

Without loss of generality, from c6= c∗ it follows that J = T(c) 6= T(c∗) = J∗. (Otherwise, A has found aT-collision.) But J 6=J∗ implies that there exists ani∈J\J∗, i.e., an i∈J for which hi =ηi(g)·u. This allowsS to derive χ(c) using

di = ˜ψ(hi) = ˜ψ(ηi(g))·ψ(u) =˜ ηi( ˜ψ(g))·χ( ˜ψ(g)) =ηi(c)·χ(c)

and its knowledge about ηi. On the other hand,χ(c) allows to compute

K=Ext(χ(c))

exactly as the decapsulation algorithm. Hence, the prepared substitute secret key sk0 = (η, κ) can be used to answerA's decapsulation queries.

Summarizing, the prepared simulation shows Theorem 14.

7 Discussion and variants

Global parameters. Note that the set system(S,Φ)employed in our encryption scheme can be re-used in many instances of the scheme. (In other words, there is no trapdoor related directly to the denition of(S,Φ)itself.) In particular, in the RSA set system from Section 3.4, no knowledge about the factorization of the modulus N is required. That means thatN can be used as a global parameter for many parties.

Parallelization. In some of our examples from Section 3.4, the extracted values are only bits. This means that when implementing our genericCCA-secure encryption scheme with these examples, the corresponding KEM keys are only bits. However, it is possible to get larger keys by running several instances of the encryption scheme at once, without damaging the chosen-ciphertext security. Concretely, instead of publishing u = χ(g) in the public key, one can publish ui = χi(g) for

independently chosen χi ∈ Φ (i = 1, . . . , n). The sender still only uses one witness ψ ∈ Φ to

computec =ψ(g), but now can extract from n separate valuesψ(u1), . . . , ψ(un). The adaptation

of hash proof system and trapdoor language are straightforward. (However, we stress that in order to decrypt, there must be2kelementshi,1, . . . , hi,` for eachi= 1, . . . , n. Hence, not only the public

key size, but also the ciphertext size grows linearly inn.)

Compact ciphertexts. For concrete set system platforms, we can substantially reduce the size of ciphertexts (fromO(k) group elements toO(1)). To see how, recall that in the IND-CCA secure encryption scheme, the ciphertext contains (the projection of) a vectord=ψ(hJ), whereh is part

of the public key. The setup of h during the security proof (see (5)) has been chosen such that d allows to recover χ(c) as χ(c) =di/ηi(c) for any i∈ J \J∗. Now consider what happens if we

substitute the vectord in the ciphertext with a single element

D:=ψ Y

i∈J

hi

!

= Y

i∈J

ηi(c)

!

· 

 Y

i∈J\J∗

χ(c) 

.

Then, the simulation in the security proof can still derive Q

i∈J\J∗χ(c) = χ(c)∆ for ∆ :=|J\J∗|.

always computeψ(u)L. We can then modify the randomness extraction intoExt0(z) :=Ext(zL), such that the decapsulation can be computed fromχ(c)L_{(instead ofχ(c)). Note that this automatically}

allows to compress the proof part π of the ciphertext down to one element. In particular, the ciphertext size (in group elements) is now constant. However, our modications require that

(g, χ(g), ψ(g), E0) ≈c (g, χ(g), ψ(g), R), (7) where g ∈ S, χ, ψ ∈ Φ, and R ∈ {0,1}n _{are uniformly chosen, and E}0 _{= Ext}0_{(χ(ψ(g)) =}

Ext(χ(ψ(g))L) ∈ {0,1}n_{. Note that (7) holds in the case of the Die-Hellman- and RSA-based}

set systems from Section 3.4 (since Land the order of S are coprime).

References

[1] Daniel Bleichenbacher. Chosen ciphertext attacks against protocols based on the RSA encryp-tion standard PKCS #1. In Hugo Krawczyk, editor, CRYPTO'98, volume 1462 of LNCS, pages 112. Springer-Verlag, Berlin, Germany, August 1998.

[2] Dan Boneh and Xavier Boyen. Ecient selective-ID secure identity based encryption without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004, volume 3027 of LNCS, pages 223238. Springer-Verlag, Berlin, Germany, May 2004.

[3] Dan Boneh, Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing, 36(5):915942, 2006.

[4] Xavier Boyen, Qixiang Mei, and Brent Waters. Direct chosen ciphertext security from identity-based techniques. In Vijayalakshmi Atluri, Catherine Meadows, and Ari Juels, editors, ACM CCS 05, pages 320329. ACM Press, November 2005.

[5] David Cash, Eike Kiltz, and Victor Shoup. The Twin Die-Hellman problem and applications. In Nigel P. Smart, editor, EUROCRYPT 2008, LNCS, pages 127145. Springer-Verlag, Berlin, Germany, April 2008.

[6] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Hugo Krawczyk, editor, CRYPTO'98, volume 1462 of LNCS, pages 1325. Springer-Verlag, Berlin, Germany, August 1998.

[7] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Lars R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages 4564. Springer-Verlag, Berlin, Germany, April / May 2002. [8] Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption

schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167226, 2003.

[9] Danny Dolev, Cynthia Dwork, and Moni Naor. Non-malleable cryptography. In 23rd ACM STOC, pages 542552. ACM Press, May 1991.

[11] Roger Fischlin and Claus-Peter Schnorr. Stronger security proofs for RSA and Rabin bits. Journal of Cryptology, 13(2):221244, 2000.

[12] Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. ACM Transactions on Information and System Security, 9(2):181234, 2006. [13] Goichiro Hanaoka and Kaoru Kurosawa. Ecient chosen ciphertext secure public key

en-cryption under the computational Die-Hellman assumption. In Josef Pieprzyk, editor, ASI-ACRYPT 2008, LNCS, pages 308325. Springer, December 2008.

[14] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In Alfred Menezes, editor, CRYPTO 2007, volume 4622 of LNCS, pages 553571. Springer-Verlag, Berlin, Germany, August 2007.

[15] Dennis Hofheinz and Eike Kiltz. The group of signed quadratic residues and applications. Manuscript, 2009.

[16] Dennis Hofheinz and Eike Kiltz. Practical chosen ciphertext secure encryption from factoring. In Antoine Joux, editor, EUROCRYPT 2009, LNCS, pages 313332. Springer, 2009.

[17] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In Shai Halevi and Tal Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 581600. Springer-Verlag, Berlin, Germany, March 2006.

[18] Eike Kiltz, Krzysztof Pietrzak, Martijn Stam, and Moti Yung. A new randomness extraction paradigm for hybrid encryption. In Antoine Joux, editor, EUROCRYPT 2009, LNCS, pages 589608. Springer, 2009.

[19] Kaoru Kurosawa and Yvo Desmedt. A new paradigm of hybrid encryption scheme. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 426442. Springer-Verlag, Berlin, Germany, August 2004.

[20] Stefan Lucks. A variant of the Cramer-Shoup cryptosystem for groups of unknown order. In Yuliang Zheng, editor, ASIACRYPT 2002, volume 2501 of LNCS, pages 2745. Springer-Verlag, Berlin, Germany, December 2002.

[21] Moni Naor, Omer Reingold, and Alon Rosen. Pseudo-random functions and factoring. SIAM Journal on Computing, 31(5):13831404, 2002.

[22] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In 22nd ACM STOC. ACM Press, May 1990.

[23] Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages 187196. ACM Press, May 2008. [24] Charles Racko and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Joan Feigenbaum, editor, CRYPTO'91, volume 576 of LNCS, pages 433444. Springer-Verlag, Berlin, Germany, August 1992.

A Proof of Theorem 12

A.1 Proof of Theorem 12: case `= 1

Recall the hash proof system provides in Section 5 (for the case ` = 1). We now prove that it satises the conditions of Denition 9. First note that since we assumed that g is normal (in the sense of Denition 3), there exists some ξ ∈Φ such that ξ(g) = h. This ξ is not given, merely its existence is required.

Lemma 15. Let (c, d)∈Z, and let χ, ψ∈Φ be such that χ(g) =c, ψ(h) =d. Then

(c, d)∈Z\L ⇐⇒ χ+ Ann(g)∩ψ+ Ann(h) =∅.

In particular,Z\L6=∅ if and only if Ann(g) + Ann(h) is proper inΦ.

Proof. Indeed, by elementary algebra, for xedg, c, the solutions inχto the equationχ(g) =cform a co-set of Ann(g) in Φ, i.e., it is of the form Ann(g) +χ with χ an arbitrary solution. Similarly, the solutions to the equationψ(h) =dare of the form Ann(h) +ψ. It is now clear that there exists χ∈Φsuch thatχ(g) =candχ(h) =dif and only if those two co-sets have non-empty intersection. This proves the rst part of Lemma 15.

To show the second part of the lemma, it suces to note that χ+ Ann(g)∩ψ+ Ann(h) =∅ is equivalent toχ−ψ6∈Ann(g) + Ann(h).

Lemma 16. Z\L6=∅.

Proof. Indeed, ifg, h∈S are such thatχ(g) =h and ω∈Ann(g), then

ω(h) =ω◦ξ(g) =ξ◦ω(g) =ξ(0) = 0.

Hence, Ann(g) ⊂ Ann(h), such that Ann(g) + Ann(h) = Ann(h). Our assumption h 6= 0 implies id6∈Ann(h), so thatAnn(h)is a proper subgroup ofΦ. Using Lemma 15, we obtain Lemma 16.

Next, x (c, d)∈Z\L,and x χ, ψ∈Φsuch thatχ(g) =c and ψ(h) =d. (Since g is assumed normal, the existence of suchχ, ψ is guaranteed.) For given a, z∈S, consider the equations

a=δ(g) +ρ(h)

z=δ(c) +ρ(d).

in the unknowns δ, ρ. Let H(a, z) ⊂ Φ×Φ denote the set of solutions. Note that H(0,0) is a subgroup of Φ×Φ. Let G(a) denote the set of all z ∈ S with H(a, z) 6= ∅. Note that G(0) is a subgroup of S. The following observations are trivial. IfH(a, z)is non-empty, then it is a co-set of H(0,0)inΦ×Φ. Similarly, ifG(a) is non-empty, then it is a co-set of G(0)inS.

Lemma 17. Given any(c, d)∈Z\L, it holds thatG(0)is non-trivial, i.e., there existδ, ρ∈Φ, z ∈S such that

0 =δ(g) +ρ(h)

Proof. So it remains to construct the claimed(δ, ρ)∈Φ×Φfrom Lemma 17. Recall that h=ξ(g) and c=χ(g). Set

δ:=ξ and ρ:=−id.

By denition,

δ(g) +ρ(h) =ξ(g)−h= 0.

Furthermore, (c, d)6∈L implies that

δ(c) +ρ(d) =ξ(c)−d=ξ(χ(g))−d=χ(h)−d6= 0.

(Sinceχ(h) =dwould imply(c, d) = (χ(g), χ(h))and hence(c, d)∈L.) This proves Lemma 17. Proof of Theorem 12 for`= 1. Let (c, d) ∈ Z. Suppose the prover falsely claims that (c, d) ∈ L. The pair (δ, ρ) is randomly distributed on Φ×Φ conditioned on the projection being equal to α. Thus, by Lemma 17, each element π0 ∈ G(α) is equally likely to be the correct proof, since |H(α, π0<sub>)|=|H(0,0)|. As |G(α)|=|G(0)| ≥p, Theorem 12 now follows (for`= 1).</sub>

A.2 Proof of Theorem 12: the general case

Assume parameters(g,h)∈S×S` withh= (h1, . . . , h`), such thatg is normal. Sinceg is normal,

we may assume ξ1, . . . , ξ` ∈Φ withhi =ξi(g) for 1≤i≤`. Again, theseξi need not be explicitly

given, merely their existence is required.

• Setup. The verier chooses random secret verication keys

(δ1, ρ1), . . . ,(δ`, ρ`)∈Φ×Φ

and computes the projections

αi =δi(g) +ρi(hi)∈S (1≤i≤`)

• Proof phase. The prover gets as input a statement (c,d, J) (with J ⊆ {1, . . . , `} and

d= (di)i∈J) along with a witness χ∈Φsuch that

c=χ(g) and di =χ(hi) for i∈J .

He computes the proof

(πi)i∈J = (φ(αi))i∈J ∈SJ.

• Verication. The verier gets

(c,d, π)∈S×SJ ×SJ

for d= (di)i∈J and π= (πi)i∈J. The verier checks whether

πi =δi(c) +ρi(di)for all i∈J

Again, it is clear that the system is homomorphic.

First, we claim that for xed J, there exists invalid statements. Indeed, under the conditions of the proposition we can nd, as above, (c, d1) such that for no χ∈Φ it holds that χ(g) =c and

χ(h1) =d1. This can of course be trivially extended to an element ofZ\L.

Second, by applying the result for the case ` = 1, at rst sight the hash proof system above might only seem to prove that for each i∈J, there existsχi ∈Φ such thatχi(g) =c, χi(hi) =di.

However, these facts imply that for eachi∈J,χ1−χi ∈Ann(g).By the fact that each hi=ξi(g)

for someξi ∈Φ(sincegis normal), it follows for the same reasons as before thatχ1−χi∈Ann(hi).

But this implies that for i ∈ J, we have di = χi(hi) = χ1(hi). Hence (c,d, J) ∈ L, which proves

Theorem 12 for the general case.

B Target-collision resistant hashing

Informally, we say that a function T:{0,1}n _{→ {0,1}}k _{is a target-collision resistant (TCR) hash}

function [8] if, given a random preimagex∈ {0,1}n_{, it is hard to ndx}0 _{6=x withT(x}0_{) =T(x).} Denition 18 (TCR hash function). Let n=n(k)andT:{0,1}n_{→ {0,1}}k _{be a function. For an}

algorithm B, dene

AdvTCR_T,B(k) :=Pr

x←R{0,1}n, x

0 _{←B(x) : x}0 _6=x∧T(x0_{) =T(x)} .

We say that B (tT, T)-breaks T's TCR property (short: B (tT, T)-breaks T) iB's running time

is at most tT(k) and AdvTCRT,B (k)≥T(k). We say thatT is target-collision resistant if for all PPT